Abstract. We show that strict deterministic propositional dynamic logic with
intersection is highly undecidable, solving a problem in the Stanford Encyclopedia
of Philosophy. In fact we show something quite a bit stronger. We
introduce the construction of program equivalence, which returns the value
$\top$ precisely when two given programs are equivalent on halting computations.
We show that virtually any variant of propositional dynamic logic has $\Pi^1_1$-hard
validity problem if it can express even just the equivalence of well-structured
programs with the empty program skip. We also show, in these cases, that
the set of propositional statements valid over finite models is not recursively
enumerable, so there is not even an axiomatisation for finitely valid propositions.



1. Introduction 

Determinism has played an unusual role in the study of programs. While most
actual algorithms are deterministic in nature, there has traditionally been a strong
theme on modeling programs nondeterministically. Indeed the standard semantics
for classic program logics such as dynamic logic treat programs as binary relations
on the state space of a computer, and (in the standard relational semantics) apply
constructions such as program union and reflexive transitive closure, which fall
outside of conventional programming languages. Of course, there are numerous
good reasons for this: one is attempting to reason about programs more than
reason from within them. Stating that "property $\alpha$ is true after some number of
iterates of $p$" is a useful assertion to make and close to the kind of questions that
need to be asked in applications such as formal program verification.

Another occasionally cited reason for the focus on nondeterminism is that logics
based over deterministic programs (partial functions) are known to experience
an unexpected explosion in complexity. In fact this is only half true. Satisfiability
for strict deterministic PDL (deterministic program variables, and program
union and $*$ replaced by only conventional constructions of structured programming:
if-then-else and while-do) is only PSPACE-complete [8], while the full
PDL (over nondeterministic programs), and even strict PDL has EXPTIME-complete
complexity (see [11] for these and other similar results). However the introduction
of program intersection produces enormous contrast. Standard (that is, nondeterministic)
PDL with intersection is decidable [3], albeit doubly exponential time
complete [13] (a result that has recently been extended to PDL with intersection and
converse [7]) while Harel showed that deterministic PDL with intersection (DIPDL)
has a $\Pi^1_1$-hard satisfiability problem, at the first level of the analytic hierarchy!

Strangely, it seems unknown what happens between the relatively well behaved
SDPDL and the unimaginably badly behaved DIPDL. The decidability of strict
deterministic propositional dynamic logic with intersection (SDIPDL) appears open
and indeed is stated as such in the Winter 2008 edition of the Stanford Encyclopedia
of Philosophy [1]. While program intersection is not a conventionally encountered
programming construction, it is easy to simulate the intersection of two actual
programs $p$ and $q$ and return the result when and if they both halt and agree. Thus
it is an available construct of conventional programming even if it is not expressible
within the language of SDPDL.

Recently the second author (with Tim Stokes) has examined algebraic formulations
of deterministic program logics and produced a very simple axiomatisation for
the loop-free fragment of SDIPDL [12]. The validity problem of this fragment is easily
seen to be NP-complete (by guessing a finite validating model of size polynomial
in the complexity of a given formula). The authors of [12] were rather hopeful that
despite Harel's famous negative result for DIPDL, the strict fragment might still be
decidable. In the present article we show this is not the case: SDIPDL also suffers
$\Pi^1_1$-hardness. In fact we show a more general result that concerns variants of PDL
that are not necessarily deterministic. We identify a natural notion of "program
equivalence" and show that this inevitably leads to $\Pi^1_1$-hardness when expressible in
a variant of PDL, independently of the constraint of deterministic atomic programs.
The $\Pi^1_1$-hardness of SDIPDL can be explained by the fact that in deterministic variants
of PDL, intersection can be used to express program equivalence.

We also show that for variants of PDL capable of expressing program equivalence
(such as SDIPDL) there is no axiomatisation possible for the propositions satisfiable
on finite relational models.

2. Program constructions 

The usual semantics for program intersection is simply set-theoretic intersection
of binary relations. Thus the program $p \cap q$ relates state $s$ to state $t$ provided that
both $p$ and $q$ relate $s$ to $t$. However even if $p \cap q$ relates state $s$ to $t$, enacting $p$ at
state $s$ might give rise to some $t'$ outside of the range of the relation $q$. We consider
a reasonable variant of intersection, which we refer to as program equivalence. For
programs $p$, $q$, the proposition $p \bowtie q$ ("$p$ tie $q$", or "$p$ is equivalent to $q$") is true at
a point $a$ if $p$ is equivalent to $q$ at $a$: in the relational semantics, $p \bowtie q$ has truth
set equal to

$$\{a \mid (\forall b)\ (a,b) \in p \Leftrightarrow (a,b) \in q\}.$$

Program equivalence can be expressed in SDIPDL as $\langle p \cap q\rangle\top \vee \neg(\langle p\rangle\top \vee \langle q\rangle\top)$.
And, provided query is included, SDPDL with program equivalence can express
intersection: $p \cap q = (p \bowtie q)?\,;\,p$.

Our main results will use a construction weaker than program equivalence. Consider
the unary operation Fix acting on programs $p$ to produce a proposition $\mathsf{Fix}(p)$
that asserts that halting computations of $p$ act effectlessly. In the relational semantics,

$$\mathsf{Fix}(p) = \{a \mid (\forall b)\ (a,b) \in p \Rightarrow a = b\}.$$

Our main results are expressed in terms of Fix, however in proofs it is more convenient
to use a construction $\mathsf{fix}(p)$, which we define as $\mathsf{Fix}(p) \wedge \langle p\rangle\top$. Note that
$\mathsf{Fix}(p) = \mathsf{fix}(p) \vee [p]\bot$, so that fix and Fix are interdefinable in any reasonable
variant of PDL. But also, fix (whence Fix) can be expressed in terms of program
equivalence as $p \bowtie \mathsf{skip}$ (hence it is expressible if $\cap$ is expressible in the deterministic
case). On the other hand, $\bowtie$ cannot be expressed using Fix because one can
find models of DPDL that are closed under Fix but not under program equivalence
(we omit the details of this claim).

A key observation in this note is that expressions of the form $[x^*]\alpha$ are expressible
in the language of well-structured programs (provided that $x$ and $\alpha$ are): as
$[\mathsf{while}\ \alpha\ \mathsf{do}\ x]\bot$. Expressions of the form $[(x \cup y)^*]\alpha$ are fundamental to Harel's
original proof of the high undecidability of DIPDL: they are used to interpret an infinite
grid. Expressions of this form are not in general expressible in strict forms of
PDL, however the presence of fix enables something similar to be done in enough
cases to encode tiling problems.
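
The relational definitions of this section can be checked mechanically on a small model. The Python sketch below is an added example, not code from the paper: it implements $\bowtie$, Fix, fix and the while-do encoding over binary relations on a constructed three-state set, verifies the stated identities for every pair of deterministic programs, and shows on a constructed nondeterministic pair that the two identities involving intersection then fail. All function and variable names are this example's own.

```python
from itertools import product

STATES = range(3)                      # constructed three-state model
TOP = set(STATES)                      # truth set of the proposition "true"

def query(phi):                        # the query program phi?
    return {(a, a) for a in phi}

SKIP = query(TOP)

def compose(p, q):                     # p ; q
    return {(a, c) for (a, b) in p for (b2, c) in q if b == b2}

def star(p):                           # reflexive transitive closure p*
    r = set(SKIP)
    while not compose(r, p) <= r:
        r |= compose(r, p)
    return r

def dia(p, phi):                       # <p>phi
    return {a for (a, b) in p if b in phi}
def box(p, phi):                       # [p]phi
    return TOP - dia(p, TOP - phi)

def tie(p, q):                         # p tie q: same p- and q-successors at a
    return {a for a in STATES
            if all(((a, b) in p) == ((a, b) in q) for b in STATES)}

def Fix(p):                            # every halting run of p from a ends at a
    return {a for a in STATES if all(b == a for (x, b) in p if x == a)}
def fix(p):                            # Fix(p) and <p>true
    return Fix(p) & dia(p, TOP)

def while_do(phi, p):                  # (phi? ; p)* ; (not phi)?
    return compose(star(compose(query(phi), p)), query(TOP - phi))

def failures(programs, props):
    """Names of the Section 2 identities violated by some choice from the inputs."""
    bad = set()
    for p in programs:
        if Fix(p) != fix(p) | box(p, set()):
            bad.add("Fix(p) = fix(p) or [p]false")
        if fix(p) != tie(p, SKIP):
            bad.add("fix(p) = p tie skip")
        for alpha in props:
            if box(star(p), alpha) != box(while_do(alpha, p), set()):
                bad.add("[p*]alpha = [while alpha do p]false")
        for q in programs:
            if tie(p, q) != dia(p & q, TOP) | (TOP - dia(p, TOP) - dia(q, TOP)):
                bad.add("tie from intersection")
            if p & q != compose(query(tie(p, q)), p):
                bad.add("intersection from tie")
    return bad

# Every deterministic program (partial function) and every proposition on STATES.
DETERMINISTIC = [{(a, b) for a, b in zip(STATES, img) if b is not None}
                 for img in product([None, *STATES], repeat=len(STATES))]
PROPS = [{a for a, bit in zip(STATES, bits) if bit}
         for bits in product([0, 1], repeat=len(STATES))]
# Constructed nondeterministic pair: p can move 0 -> 0 or 0 -> 1, q only 0 -> 0.
P_ND, Q_ND = {(0, 0), (0, 1)}, {(0, 0)}

if __name__ == "__main__":
    print(failures(DETERMINISTIC, PROPS))   # no identity fails
    print(failures([P_ND, Q_ND], PROPS))    # the two intersection identities fail
```
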

3. Tilings 

The undecidability results are proved by encoding tiling problems as originally
employed by Harel [9]. A finite set of square tiles is a finite set $\mathcal{T} = \{T_0, \dots, T_{k-1}\}$
of "tiles" endowed with a pair of binary "edge" relations $\sim_h$ (horizontal) and $\sim_v$
(vertical). We interpret $T_i \sim_h T_j$ to mean that tile $T_i$ can be placed on the left of
tile $T_j$ in a horizontal row. Likewise $T_i \sim_v T_j$ is interpreted to mean that $T_i$ can
be placed beneath $T_j$ in a vertical column. A natural and very standard geometric
restriction is that if $T_i \sim_h T_j$ and $T_{i'} \sim_h T_j$ and $T_{i'} \sim_h T_{j'}$, then $T_i \sim_h T_{j'}$ also.
We will not make use of this restriction, though assuming it does not affect the
computational complexity of the tiling problems we consider.

Consider the non-negative integer lattice $\omega \times \omega$ endowed with relations $\sim_h$ and
$\sim_v$ defined by $(i,j) \sim_h (i+1,j)$ and $(i,j) \sim_v (i,j+1)$ for all $i,j \geq 0$ (here of
course, lattice is referring to square grids rather than ordered sets). A tiling of the
positive quadrant of the plane (henceforth, a tiling of the plane) is a function from
$\omega \times \omega$ into $\mathcal{T}$ that preserves the relations $\sim_h$ and $\sim_v$. Tilings of $\mathbb{Z} \times \mathbb{Z}$ are defined
analogously.

We use two fundamental facts on tiling the plane. 

• Tiling Fact 1. The following problem is $\Sigma^1_1$-complete. Given a finite set
of tiles $\mathcal{T}$ with distinguished subset $\mathcal{N}$ of "neon" tiles, is there a tiling
$\tau$ of the plane in which $\tau(0,0) = T_0$ and such that $\tau^{-1}(\mathcal{N}) \cap \{(i,i) \mid i \in \omega\}$ is
infinite (that is, the diagonal contains infinitely many neon tiles)?

• Tiling Fact 2. Let $S_{\mathrm{period}}$ denote the set of finite sets of square tiles that
can tile $\mathbb{Z} \times \mathbb{Z}$ periodically, and let $S_{\mathrm{notiling}}$ denote the set of finite sets of
tiles that cannot tile the plane at all. Then $S_{\mathrm{period}}$ is recursively inseparable
from $S_{\mathrm{notiling}}$.

Tiling Fact 2 can be found in Börger, Grädel and Gurevich Theorem 3.1.7]:
tiling periodically means that there is a tiling of $\mathbb{Z}_n \times \mathbb{Z}_m$, with the obvious
toroidal adjacency constraints (work modulo $n$ horizontally and modulo $m$ vertically).
Tiling Fact 1 is a minor variant of some well known tiling problems investigated
by Harel; see [10] or [11] for example. We now give a brief sketch of a
proof of the $\Sigma^1_1$-completeness claim. In PJJ p. 233], Harel shows that the following
problem is $\Sigma^1_1$-complete: given a nondeterministic Turing machine program T, with
initial state $q_0$ and started on a one-way infinite blank tape, does T return to the
state $q_0$ infinitely often? We now reduce this problem to the problem in Tiling Fact
1. We use a modification of the standard translation of Turing machines into tiles,
as presented, say, by Robinson [2]. Using the nomenclature of Robinson's article,
there are essentially four kinds of tile (aside from the blank tile which we will not
need, as we're only tiling the positive quadrant): the initial tiles (including one
designated start tile $T_0$), the merge tiles, the action tiles and the alphabet tiles.
The action tiles are constructed according to the commands of the Turing machine
program. Provided that $T_0$ is placed at the position $(0,0)$, the tiling can only be
completed to the $n$th row if the program can run for $n$ steps of computation without
halting. Moreover, each successfully tiled row encodes the configuration of the
Turing machine tape at the corresponding step of computation.

Now duplicate all tiles except initial tiles and action tiles. For each duplicated
tile, we make the second copy "neon", and adjust the horizontal edge constraints
to ensure that neon tiles can be placed horizontally adjacent only to other neon
tiles (and even then, only if they additionally satisfy the original edge constraints).
Vertical constraints are unchanged however. Now, replace every action tile that
encodes a transition into the state $q_0$, by a neon copy. These tiles are not to be
duplicated: they are only neon. Also, action tiles not involving a transition into
$q_0$ are never neon. Then, in any tiling of the plane, a row containing a neon tile
must contain only neon tiles. Since each successfully tiled row can contain precisely
one action tile, the following are equivalent: there is a computation that revisits
state $q_0$ infinitely often; there is a tiling of the plane starting from $T_0$ and in which
infinitely many rows are neon; there is a tiling of the plane starting from $T_0$ and
in which infinitely many neon tiles are placed on the diagonal. As the first of these is
$\Sigma^1_1$-complete, so the problem in Tiling Fact 1 is $\Sigma^1_1$-hard. Completeness follows in
the usual way.

4. Main argument 

Let $\mathcal{T} = \{T_0, \dots, T_{k-1}\}$ be some fixed finite set of tiles. For $i = 0, 1, \dots, k-1$
we let $\alpha_i$ denote an atomic proposition variable which we think of as corresponding
to the placement of tile $T_i$. In order to produce our $\omega \times \omega$ grid we introduce four
atomic program variables: E, W, S and N. Squares of the grid will be created by
asserting statements of the form $\mathsf{fix}(N;E;S;W)$. We first define the propositions
required, then explain how these force a tiling.

Step 0. Defining a square. We need to be able to find squares in both clockwise
and anti-clockwise directions. We encode the clockwise square by the following
proposition:

$$\mathsf{fix}(N;S) \wedge [N]\mathsf{fix}(E;W) \wedge [N;E]\mathsf{fix}(S;N) \wedge [N;E;S]\mathsf{fix}(W;E) \wedge \mathsf{fix}(N;E;S;W).$$

The anticlockwise square is defined in the dual way, following partial paths through
$E;N;W;S$. We denote the conjunction of the two square propositions by square.

Step 1. To define a grid we use the statement $\rho_1$:

$$[N^*][E^*]\,\mathsf{square}$$

which, as observed above, can be expressed using only modal operators and the
language of well-structured programs (instead of $*$).

Step 2. To force a tiling, we first let $\alpha$ denote the proposition that asserts that
precisely one of the $\alpha_i$ is true. Then, for each $i$, let $\beta_i$ denote the disjunction of all
the atomic tile propositions $\alpha_j$ for which $T_i \sim_h T_j$. Similarly, we let $\beta^i$ denote the
disjunction of the atomic tile propositions $\alpha_j$ for which $T_i \sim_v T_j$. Then, provided
we have an $\omega \times \omega$ grid, a tiling can be forced by $\rho_2$:

$$[N^*][E^*]\Bigl(\alpha \wedge \bigwedge_i \bigl(\alpha_i \rightarrow ([E]\beta_i \wedge [N]\beta^i)\bigr)\Bigr)$$

Figure 1. Selecting the points $a_{i,j}$, and completing the $\omega \times \omega$ grid.

Step 3. To force infinitely many neon tiles in the diagonal, first let neon denote
the disjunction of the atomic neon tile propositions. Then we use $\rho_3$:

$$[(N;E)^*]\langle (N;E)^*\rangle\,\mathsf{neon}.$$

Theorem 4.1. Fix any variation VPDL of PDL capable of expressing the usual connectives
on propositions, program composition, while-do, modal operators and fix.
The validity problem for VPDL is $\Pi^1_1$-hard, regardless of whether atomic programs
are assumed to be deterministic or not.

Proof. For any set of tiles $\mathcal{T}$, with neon subset $\mathcal{N}$, let $\gamma$ denote $\alpha_0 \wedge \rho_1 \wedge \rho_2 \wedge \rho_3$.
We claim that the following are equivalent:

(1) $\mathcal{T}$ can tile the positive quadrant of the plane with infinitely many neon tiles
on the diagonal and with $T_0$ in the $(0,0)$ position;

(2) $\gamma$ can be satisfied in some relational model where all atomic programs are
deterministic (even injective partial functions);

(3) $\gamma$ can be satisfied in some relational model.

Implication $1 \Rightarrow 2$ is routine, while $2 \Rightarrow 3$ is trivial. Now assume that $\gamma$ is satisfied
at some point of a relational model. We label this point by $a_{0,0}$. Now by $\rho_1$ we
have that square holds at $a_{0,0}$. Thus, the program $N;E$ is defined at $a_{0,0}$, because
$a_{0,0}$ is fixed by $N;E;S;W$. Then by $\rho_3$, there is a nontrivial iterate of $N;E$ at
which neon is true. Thus there is a path of edges from $a_{0,0}$ alternating N and E and
leading to a position at which neon is true. We label the points visited along this
path (after $a_{0,0}$) by $a_{0,1}, a_{1,1}, a_{1,2}, a_{2,2}, \dots$; see the left picture in Figure 1. We do
not rule out the possibility that some points in the model are labelled more than
once: to produce the tiling, we consider only the labels of the selected points.

Now as square holds at $a_{0,0}$, we have that after $N;E$ it is necessary that $\mathsf{fix}(S;N)$
hold. Hence, in particular there is a point $a_{1,0}$ that is reached by an application of
S from the point $a_{1,1}$. Again applying square at $a_{0,0}$, we have that after applying
$N;E;S$ it is necessary that $\mathsf{fix}(W;E)$. Thus in particular, there is a point $a'$ west
of $a_{1,0}$. However $a'$ is reached by an application of $N;E;S;W$, which by square
must fix $a_{0,0}$. Hence $a' = a_{0,0}$.

Similarly, $\rho_1$ ensures that square is true at the point $a_{0,1}$. We now construct a
square anticlockwise through points $a_{0,1}$, $a_{1,1}$, $a_{1,2}$ and some new point $a_{0,2}$. The
idea is essentially dual to the previous case: after applying $E;N$ (reaching $a_{1,2}$), it
is necessary that $\mathsf{fix}(W;E)$ be defined, thus we encounter some new point $a_{0,2}$.
From here a further S is forced, and then as $E;N;W;S$ fixes $a_{0,1}$, we have the
desired square.

So far we have not used all the power of the proposition square: in the right hand
picture in Figure 1, the bottom left square has a different orientation to the square
above it. However, each time we extended a new arrow from a point, we did so by
way of propositions of the form $\mathsf{fix}(E;W)$ (and so on): thus in fact every arrow
drawn has an associated converse arrow labelled with the appropriate dual name
(E switched with W and N switched with S). Once these edges are also drawn,
both squares so far obtained are identical (two-way edges, with dual labels). So in
fact, the process can be continued, working outward from the central diagonal
(with clockwise constructions below the horizontal and anti-clockwise constructions
above) until a rectangular grid has been formed.

Then we apply $\rho_3$ a further time: extending the diagonal to a new point $a_{n,n}$
where neon is defined, and filling out the remaining pieces of a larger rectangle and
so on.

In this way an infinite grid is interpreted, with neon tile propositions holding
at infinitely many places on the diagonal. Furthermore, every position in this grid
can now be visited by first iterating E and then iterating N. Now $\gamma$ forces $\alpha_0$ to
be true at $a_{0,0}$. And then, working inductively outward from $a_{0,0}$, the proposition
$\rho_2$ ensures that a tiling proposition holds at every one of the selected points and
that neighbouring squares (horizontally or vertically) have tiling propositions that
match the tiling constraints. Thus we interpreted a tiling of the positive quadrant
of the plane in which neon tiles occur infinitely often along the diagonal. As the
problem in Tiling Fact 1 is $\Sigma^1_1$-complete, thus satisfiability for VPDL is $\Sigma^1_1$-hard and
validity is $\Pi^1_1$-hard. □

Recall that if atomic programs are deterministic, then intersection can be used
to define fix on well-structured programs. This gives the following corollary.

Corollary 4.2. Satisfiability for SDIPDL is $\Pi^1_1$-hard.

Consider the operation of program difference:

$$p - q := \{(a,b) \mid (a,b) \in p \text{ and } (a,b) \notin q\}.$$

It is well known that standard PDL with program complementation is undecidable
(see [11, Theorem 10.12]). Program difference can be expressed in terms of program
complementation, but the reverse need not be true in the absence of a universal
program (that is, the universal relation in the relational semantics). As a second
corollary, we show that standard PDL with program difference is $\Pi^1_1$-hard.

Corollary 4.3. PDL with program difference (whence with program complementation)
is $\Pi^1_1$-hard.

Proof. First observe that program intersection can be expressed from program difference:
$p \cap q = p - (p - q)$. Now observe that $\mathsf{fix}(p) = (\langle p\rangle\top) \wedge ([p - (p \cap \mathsf{skip})]\bot)$. □

Theorem 4.4. Fix any variation VPDL of PDL capable of expressing the usual 
connectives on propositions, program composition, while-do, modal operators and 
fix. The set of VPDL propositions valid over finite relational models of VPDL is
not recursively enumerable, whence there is no axiomatisation for VPDL over finite 
models. 

Proof. Consider a finite set of tiles $\mathcal{T}$, and consider the proposition $\eta_{\mathcal{T}} := \rho_1 \wedge \rho_2$.
We first show that if $\eta_{\mathcal{T}}$ is satisfied at some point $a_{0,0}$ in a model then $\mathcal{T}$ can tile
the plane (whence $\mathcal{T} \notin S_{\mathrm{notiling}}$). The argument is similar to that used to prove
Theorem 4.1 but we use $\rho_1$ to produce the diagonal (there are no neon tiles to
consider). By $\rho_1$, the proposition square is true, which yields points $a_{0,1}$, $a_{1,1}$ and
$a_{1,0}$, reached successively in following $N;E;S$, with W taking $a_{1,0}$ back to $a_{0,0}$, and
with $E;N;W;S$ following through the points in reverse order. Now, by $\rho_1$ again,
square is true at $a_{1,1}$. Thus we obtain points $a_{1,2}$, $a_{2,2}$ and $a_{2,1}$ forming the rest of
a new square based at $a_{1,1}$. Now we can fill out these points to a $2 \times 2$ region using
the same argument in the proof of Theorem 4.1. Then $\rho_1$ guarantees that square is
true at $a_{2,2}$ and so on. Finally, once an $\omega \times \omega$ grid is interpreted, we can use $\rho_1$ to
show that precisely one tiling proposition is true at $a_{0,0}$, and then force a tiling as
in the proof of Theorem 4.1.

Now observe that if $\mathcal{T}$ can tile periodically: that is, can tile the torus $\mathbb{Z}_n \times \mathbb{Z}_m$,
then $\eta_{\mathcal{T}}$ can be satisfied in some finite model based on the $nm$ points of $\mathbb{Z}_n \times \mathbb{Z}_m$.

Thus the set $\mathcal{S}$ of finitely satisfiable propositions contains $\{\eta_{\mathcal{T}} \mid \mathcal{T} \in S_{\mathrm{period}}\}$
and is disjoint from $\{\eta_{\mathcal{T}} \mid \mathcal{T} \in S_{\mathrm{notiling}}\}$. Now $\mathcal{S}$ is recursively enumerable (simply
search for a finite satisfying model). But it cannot be recursive, because $S_{\mathrm{period}}$ and
$S_{\mathrm{notiling}}$ are recursively inseparable. Hence $\mathcal{S}$ is not coRE. Whence the set of propositions
valid over finite models of VPDL is not RE. □
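
The finite-model step of this proof (a periodic tiling yields a model on the $nm$ points of the torus) can be made concrete with a small model checker. The following Python sketch is an added example, not code from the paper: it builds N, E, S, W as partial functions on a grid, evaluates square, $\rho_1$ and $\rho_2$ for deterministic atomic programs, and checks them on a constructed two-tile checkerboard set. The anticlockwise half of square follows this example's reading of "defined in the dual way", and all names are this example's own.

```python
INV = {"N": "S", "S": "N", "E": "W", "W": "E"}
STEP = {"E": (1, 0), "W": (-1, 0), "N": (0, 1), "S": (0, -1)}

def grid(n, m, wrap):
    """N, E, S, W as partial functions on an n x m grid; wrap=True gives the torus."""
    model = {d: {} for d in STEP}
    for i in range(n):
        for j in range(m):
            for d, (di, dj) in STEP.items():
                x, y = ((i + di) % n, (j + dj) % m) if wrap else (i + di, j + dj)
                if 0 <= x < n and 0 <= y < m:
                    model[d][(i, j)] = (x, y)
    return model

def run(model, path, a):          # state reached by the composite program, or None
    for d in path:
        a = model[d].get(a)
        if a is None:
            return None
    return a

def half_square(model, cycle, a):
    """[c0..c(k-1)] fix(ck ; ck^-1) for each k, and fix(c0;c1;c2;c3), at point a."""
    for k, d in enumerate(cycle):
        b = run(model, cycle[:k], a)
        if b is not None and run(model, d + INV[d], b) != b:
            return False
    return run(model, cycle, a) == a

def square(model, a):
    # "ENWS" is this example's reading of the paper's dual (anticlockwise) square.
    return half_square(model, "NESW", a) and half_square(model, "ENWS", a)

def iterate(model, d, points):    # states reachable by zero or more applications of d
    seen, todo = set(points), list(points)
    while todo:
        b = model[d].get(todo.pop())
        if b is not None and b not in seen:
            seen.add(b)
            todo.append(b)
    return seen

def tiles_match(model, val, H, V, b):
    """Body of rho_2 at b: exactly one tile i holds, and [E]beta_i and [N]beta^i."""
    if len(val[b]) != 1:
        return False
    (i,) = val[b]
    return all(model[d].get(b) is None
               or any((i, j) in rel for j in val[model[d][b]])
               for d, rel in (("E", H), ("N", V)))

def satisfies_eta(model, val, H, V, a):
    """Does rho_1 and rho_2, i.e. [N*][E*](square and tiling body), hold at a?"""
    reach = iterate(model, "E", iterate(model, "N", {a}))
    return all(square(model, b) and tiles_match(model, val, H, V, b) for b in reach)

H = V = {(0, 1), (1, 0)}          # constructed tile set: two tiles that must alternate

def checker(n, m):                # constructed valuation: tile (i + j) mod 2 at (i, j)
    return {(i, j): {(i + j) % 2} for i in range(n) for j in range(m)}

if __name__ == "__main__":
    for n, m, wrap in ((4, 2, True), (3, 2, True), (2, 2, False)):
        print(n, m, wrap, satisfies_eta(grid(n, m, wrap), checker(n, m), H, V, (0, 0)))
```

The 4 x 2 torus satisfies the formula, the 3 x 2 torus fails at the seam where the checkerboard does not close up, and the 2 x 2 grid without wrap-around fails $\rho_1$ because fix(N ; S) needs N to be defined on the top row.
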

We mention that in order to express Fix in terms of program equivalence we invoked
the program skip. In the absence of skip (whence also query, as $\mathsf{skip} = \top?$),
it is unclear if Theorem 4.1 and Theorem 4.4 hold (replacing fix by program equivalence).
However all of the arguments relating to the encoding of tilings can be routinely
adapted to the program equivalence situation, with some simplification. As
a sketch: work with only N and E, and replace the proposition square by statements
of the form $(N;E) \bowtie (E;N)$.